Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

sweetpea86 writes "Mekong Development has become the first bank in Vietnam to launch fingerprint authentication enabled debit cards. Fingerprints are captured by Mekong Development at the point of opening an account, and then can be used, instead of a pin, to access funds. Not only has Mekong's account base tripled through the use of fingerprint technology since its launch in June, but the deposit balance per debit card account is two times higher than a regular account."

A few assumptions there, not the least of which is intelligent criminals.

That said, I think both this and the original post miss the point. I doubg jacking people's fingers for card robberies is going to happen. It requires the criminal to not only be willing to steal a card and info, but, to actually harm someone who is complying with them.... less people will be willing, especially isnce it will be a more heinous crime if they are caught.

Fingerprint readers are a lot more expensive then a card reader. It's also trivial to install a second magstripe in an existing card reader, but it's a lot harder to mess with a fingerprint reader. Fingerprints aren't perfect (and fingerprint readers can certainly be broken), but they are a big step up from 4 or 6 numbers.

Thats a really good point, I hadn't thought of that. Perhaps the card needs the card reader? Smart card, with built in finger print reader, and using a challenge/response authentication, so that a sniffer in the middle can't just grab static data and reuse it?

Huge increase in complexity and cost, but, I don't know if there is a way around it for this problem set.

Well... at least in terms of shutting it down. In terms of keeping them away from your bank, it probably works very well. Why would you produce suc

A few assumptions there, not the least of which is intelligent criminals.

Since nine out of ten crimes go unsolved, I'd say 90% of the criminals are smarter than the cops.

What this really does, and I think will do well, is put a stop to wholesale theft.

Unless the technology has improved greatly in the last few years, it can be defeated with a gummy bear. IMO the best tech, from a consumer point of view (not from a bank, obviously) is the old fashioned paper and carbon with a signature. They have the added ad

I think the other poster who pointed out that finger print readers wouldn't be hard to add, if they are already doing hidden cameras and card readers, really hit the nail on the head.

Gummy bears are fine, but realise, the "gummy bear" trick is still a lot more effort than watching a video and seeing what numbers someone hit. I would bet you could review 10s of videos in the time it would take to produce 1 good fingerprint from any of these methods.

I do hope that they back it up with a PIN, making it full three-factor authentication. While biometrics are useful in being unique identifiers, they are not secrets [schneier.com]. An attacker could use the gummi bear fingerprint technique [schneier.com] using latent fingerprints extracted from a stolen card...

Your're missing the point. The bank has more customers and is holding more of their customers money. Regardless of how more or less secure it is, the bank's decision is working. If it required a PIN and a fingerprint, the bank may have lost customers, but I could be wrong, don't know, market research may have already figured it out.

So long as liability follows responsibility... Taking calculated risks, like offering unsecured or partially/illiquidly secured loans, or going with lousy-but-convenient UX choices, is one of the things that banks do because they turn out to be profitable if you do them right. As long as they accept the downsides of that, like the occasional default or account breach, that isn't a problem and might well be a virtue.

If, however, they manage to insulate themselves from those consequences, whether by wholesale

The banks are just shifting more and more risks and responsibilities for losses to their customers.They prefer to call stuff ID Theft rather than some sort of fraud. Since with ID Theft it's their customer's problem, whereas with fraud it might be their problem.

They also prefer debit cards. With credit cards, when "stuff happens", it's not my money that's gone, it's someone else's. They may try to get the money from me, but meanwhile I have my money. Whereas with debit cards, when "stuff happens" it's my mo

I do hope that they back it up with a PIN, making it full three-factor authentication. While biometrics are useful in being unique identifiers, they are not secrets [schneier.com]. An attacker could use the gummi bear fingerprint technique [schneier.com] using latent fingerprints extracted from a stolen card...

In addition, The Mythbusters also fooled fingerprint scanners using the same techniques as the Schneier link (above), and also with a photocopy of a fingerprint [discovery.com]:

A 3-D thumbprint imprinted on a latex strip to be worn over someone else's thumb.

A 3-D thumbprint imprinted on ballistics gel, which has the same viscosity and density as human tissue.

The fingerprint reader at my local video store failed miserably and they had to give me a regular PIN. I do rock climb a lot in the summer and my fingerprints sort of wear off. What about people like me? Can't you bank there?

The use of a fingerprint and a pin together would raise the security further still. Many institutions are switching to two forms of authentication, which is why you're seeing more security questions. A fingerprint is a second authentication that an account holder doesn't need to remember.

Not only has Mekong’s account base tripled through the use of fingerprint technology since its launch in June,

Without any actual numbers (say, for example, the number of accounts they had before introducing this), this is fairly meaningless. If you have 3 customers it's easy to triple them; if you have 3 million, not so easy.

but the deposit balance per debit card account is two times higher than a regular account.

This seems completely irrelevant; in the very best case it sounds like selection bias. The people using this technology will be more like to be tech enthusiasts. While I don't know the demographics of Vietnam, I know that in the States that kind of audience will typically have higher inco

This seems completely irrelevant; in the very best case it sounds like selection bias. The people using this technology will be more like to be tech enthusiasts. While I don't know the demographics of Vietnam, I know that in the States that kind of audience will typically have higher income levels.

But even that's a tenuous guess - my point was that the phrasing of the statement strongly implies that deposit balances are directly connected to card type (fingerprint vs pin); but there's nothing in TFA that supports that.

That is exactly what the point of the statement was. Banks want to have people with large accounts, implementing the print scanners on the cards increased the number of large accounts they have, therefore increasing the bank's profitability. It's probably taken directly out of a press release full of self-praise for what a great decision it was, which explains why the intent of the statement got so muddled.

That is exactly what the point of the statement was. Banks want to have people with large accounts, implementing the print scanners on the cards increased the number of large accounts they have, therefore increasing the bank's profitability. It's probably taken directly out of a press release full of self-praise for what a great decision it was, which explains why the intent of the statement got so muddled.

Exactly the point was to say that the decision was good for the bank. I've used fingerprint scanners in the past, and I have to wonder if the higher balances are from people not being able to take their money out versus actually having wealthier customers given how finkiky these scanners can be.

Yeah, get rid of the card, use the fingerprint(s) to identify the account, change the keypad to read the fingerprints as you type, use a pin, and record the exact way that the pin is entered. As always you wouldn't have perfect security, but you could probably get a % accuracy that could be adjusted on a per user basis. Also you could weed out systems trying to game the system by honey potting them and checking for patterns that indicate automatic entry.

This wouldn't work for the same reason magstripe cards are bad: replay attacks. Someone just needs to design a fingerprint skimmer keypad that would save your fingerprints and your pin and you would be screwed. Additionally, changing your fingerprints is not nearly as practical as getting a new bank card.

Mostly agree, except that you can actually watch the hand, replays could be detected as replays. More advanced systems could of course be created to mimic the angles, pression, velocity, torque, etc in a human way that mimics the original without exactly repeating itself, but then they still have to know the pin, change the pin, and all other factors change. Still I agree that is is vulnerable to someone with enough resources and the same access to the the person/machine that they require now to get acces

On the one hand, they may well have implemented 3 factor security. That's pretty cool. But on the other hand, you have to put your money in a fucking Vietnamese bank to get it. From Reuters in May of this year:

Last November, State Bank of Vietnam Governor Nguyen Van Binh said eight small banks were "unhealthy" while in January he said 10 percent of the country's nearly 50 banks were "ailing."

Apparently they have a deposit insurance program, but it's limited to about $3,000.

I've had privilege to see large amounts of transaction data from where the law of large numbers reigns supreme. The 99%ers, keep a very low to no balance, generally breaking even each month. Its insanity to look at the actual trends.

So when a bank opens a product that magically doubles the deposits, clearly they're either marketing either to a different segment, or the additional